From d0f377709746005db47255ae395df57fb99fbce1 Mon Sep 17 00:00:00 2001
From: Matt Birkholz
Date: Tue, 16 Dec 2025 15:16:50 -0700
Subject: [PATCH] Use ED25519 SSH keys with the admin and monkey accounts.

---
 README.org | 32 ++++++++++++++-------------
 Secret/ssh_admin/id_ed25519 | 8 +++++++
 Secret/ssh_admin/id_ed25519.pub | 1 +
 Secret/ssh_admin/id_rsa | 38 --------------------------------
 Secret/ssh_admin/id_rsa.pub | 1 -
 Secret/ssh_monkey/id_ed25519 | 7 ++++++
 Secret/ssh_monkey/id_ed25519.pub | 1 +
 Secret/ssh_monkey/id_rsa | 38 --------------------------------
 Secret/ssh_monkey/id_rsa.pub | 1 -
 hosts | 2 +-
 inst | 9 ++++----
 roles_t/core/tasks/main.yml | 6 ++---
 roles_t/front/tasks/main.yml | 4 +---
 13 files changed, 44 insertions(+), 104 deletions(-)
 create mode 100644 Secret/ssh_admin/id_ed25519
 create mode 100644 Secret/ssh_admin/id_ed25519.pub
 delete mode 100644 Secret/ssh_admin/id_rsa
 delete mode 100644 Secret/ssh_admin/id_rsa.pub
 create mode 100644 Secret/ssh_monkey/id_ed25519
 create mode 100644 Secret/ssh_monkey/id_ed25519.pub
 delete mode 100644 Secret/ssh_monkey/id_rsa
 delete mode 100644 Secret/ssh_monkey/id_rsa.pub

diff --git a/README.org b/README.org
index 63521cd..68a145b 100644
--- a/README.org
+++ b/README.org
@@ -411,7 +411,7 @@ commands will work.
 Chief among the institute's master secrets is the SSH key authorized
 to access privileged accounts on /all/ of the institute servers. It
-is stored in [[file:Secret/ssh_admin/id_rsa][=Secret/ssh_admin/id_rsa=]]. The complete list of the
+is stored in [[file:Secret/ssh_admin/id_rsa][=Secret/ssh_admin/id_ed25519=]]. The complete list of the
 institute's SSH keys:
 - [[file:Secret/ssh_admin/][=Secret/ssh_admin/=]] :: The SSH key pair for A Small Institute
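Review bot: The link target on the added line still points at `Secret/ssh_admin/id_rsa`, a file this same patch deletes, so the README now renders a dead link whose label says `id_ed25519`. Change the line to `is stored in [[file:Secret/ssh_admin/id_ed25519][=Secret/ssh_admin/id_ed25519=]]. The complete list of the`. The list item that closes the hunk continues on lines outside it.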
@@ -855,7 +855,8 @@ concatenated a personal public ssh key and the key found in
 file, copied it to the droplet, and installed it as the
 =authorized_keys= for ~sysadm~.
-: notebook$ cat ~/.ssh/id_rsa.pub Secret/ssh_admin/id_rsa.pub \
+: notebook$ cat ~/.ssh/id_ed25519.pub \
+: notebook_ Secret/ssh_admin/id_ed25519.pub \
 : notebook_ > admin_keys
 : notebook$ scp admin_keys sysadm@159.65.75.60:
 : The authenticity of host '159.65.75.60' can't be established.
@@ -1007,7 +1008,8 @@ key found in [[file:Secret/ssh_admin/][=Secret/ssh_admin/=]] (created by [[*The
 =admin_keys= file, copied it to Core, and installed it as the
 =authorized_keys= for ~sysadm~.
-: notebook$ cat ~/.ssh/id_rsa.pub Secret/ssh_admin/id_rsa.pub \
+: notebook$ cat ~/.ssh/id_ed25519.pub \
+: notebook_ Secret/ssh_admin/id_ed25519.pub \
 : notebook_ > admin_keys
 : notebook$ scp admin_keys sysadm@core.lan:
 : The authenticity of host 'core.lan' can't be established.
@@ -1153,7 +1155,8 @@ key found in [[file:Secret/ssh_admin/][=Secret/ssh_admin/=]] (created by [[*The
 =admin_keys= file, copied it to Gate, and installed it as the
 =authorized_keys= for ~sysadm~.
-: notebook$ cat ~/.ssh/id_rsa.pub Secret/ssh_admin/id_rsa.pub \
+: notebook$ cat ~/.ssh/id_ed25519.pub \
+: notebook_ Secret/ssh_admin/id_ed25519.pub \
 : notebook_ > admin_keys
 : notebook$ scp admin_keys sysadm@gate.lan:
 : The authenticity of host 'gate.lan' can't be established.
@@ -1429,11 +1432,9 @@ key on Core.
 - name: Authorize monkey@core.
 become: yes
- vars:
- pubkeyfile: ../Secret/ssh_monkey/id_rsa.pub
 authorized_key:
 user: monkey
- key: "{{ lookup('file', pubkeyfile) }}"
+ key: "{{ lookup('file', '../Secret/ssh_monkey/id_ed25519.pub') }}"
 manage_dir: yes
 - name: Add {{ ansible_user }} to monkey group.
@@ -2861,9 +2862,9 @@ described in [[apache2-core][*Configure Apache2]]).
 owner: monkey
 group: monkey
 loop:
- - { name: config, mode: "u=rw,g=r,o=" }
- - { name: id_rsa.pub, mode: "u=rw,g=r,o=r" }
- - { name: id_rsa, mode: "u=rw,g=,o=" }
+ - { name: config, mode: "u=rw,g=r,o=" }
+ - { name: id_ed25519.pub, mode: "u=rw,g=r,o=r" }
+ - { name: id_ed25519, mode: "u=rw,g=,o=" }
 - name: Configure Monkey SSH known hosts.
 become: yes
@@ -5589,7 +5590,7 @@ describes three test servers named ~front~, ~core~ and ~gate~.
 all:
 vars:
 ansible_user: sysadm
- ansible_ssh_extra_args: -i Secret/ssh_admin/id_rsa
+ ansible_ssh_extra_args: -i Secret/ssh_admin/id_ed25519
 hosts:
 front:
 ansible_host: 192.168.58.3
@@ -6023,15 +6024,16 @@ if (defined $ARGV[0] && $ARGV[0] eq "CA") {
 mysystem "mkdir Secret/ssh_admin";
 chmod 0700, "Secret/ssh_admin";
- mysystem ("ssh-keygen -q -t rsa",
+ mysystem ("ssh-keygen -q -t ed25519",
 "-C A\\ Small\\ Institute\\ Administrator",
- "-N '' -f Secret/ssh_admin/id_rsa");
+ "-N '' -f Secret/ssh_admin/id_ed25519");
 mysystem "mkdir Secret/ssh_monkey";
 chmod 0700, "Secret/ssh_monkey";
 mysystem "echo 'HashKnownHosts no' >Secret/ssh_monkey/config";
- mysystem ("ssh-keygen -q -t rsa -C monkey\@core",
- "-N '' -f Secret/ssh_monkey/id_rsa");
+ mysystem ("ssh-keygen -q -t ed25519",
+ "-C monkey\@core.$domain_priv",
+ "-N '' -f Secret/ssh_monkey/id_ed25519");
 exit;
 }
 #+END_SRC
diff --git a/Secret/ssh_admin/id_ed25519 b/Secret/ssh_admin/id_ed25519
new file mode 100644
index 0000000..1a770fe
--- /dev/null
+++ b/Secret/ssh_admin/id_ed25519
@@ -0,0 +1,8 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACA1XokUICuJZNl/0jUYCMF0EY33FB39rSzWqyhEMUt8HQAAAKhs6XetbOl3
+rQAAAAtzc2gtZWQyNTUxOQAAACA1XokUICuJZNl/0jUYCMF0EY33FB39rSzWqyhEMUt8HQ
+AAAAED51aOh8vm3pNftfDyGSY6IqL1ygrsvx3mVB1YaGSO2sDVeiRQgK4lk2X/SNRgIwXQR
+jfcUHf2tLNarKEQxS3wdAAAAH0EgU21hbGwgSW5zdGl0dXRlIEFkbWluaXN0cmF0b3IBAg
+MEBQY=
+-----END OPENSSH PRIVATE KEY-----
diff --git a/Secret/ssh_admin/id_ed25519.pub b/Secret/ssh_admin/id_ed25519.pub
new file mode 100644
index 0000000..74b56a5
--- /dev/null
+++ b/Secret/ssh_admin/id_ed25519.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDVeiRQgK4lk2X/SNRgIwXQRjfcUHf2tLNarKEQxS3wd A Small Institute Administrator
diff --git a/Secret/ssh_admin/id_rsa b/Secret/ssh_admin/id_rsa
deleted file mode 100644
index f4936a8..0000000
--- a/Secret/ssh_admin/id_rsa
+++ /dev/null
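Review bot: An unencrypted private key is checked in here, and the README text changed by this same patch calls it the institute's chief master secret, authorized for privileged accounts on every server. Presumably it is a throwaway key for the three test servers in `hosts` (192.168.58.x), but nothing on the page says so, anyone with a clone can authenticate with it wherever the matching `.pub` is installed, and deleting it in a later commit will not un-publish it — the RSA key removed by this patch likewise stays in history. If the pair is a test fixture, say so next to the README's "master secrets" sentence and keep a real deployment's `Secret/` out of the repository; otherwise drop both key files from the commit, let `inst CA` generate them locally, and ignore `Secret/` in git.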
@@ -1,38 +0,0 @@ ------BEGIN OPENSSH PRIVATE KEY----- -b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn -NhAAAAAwEAAQAAAYEA18V56hWlKt1gJplvz/DjJt3HwBiaC9VAvMo27Ec7et0ZrrCA9grz -0yXzv7GzQMQyhzwb2CaosAWPFodlQQ16DtpVgCvSTkr1zGWUZgYe2JOvjbD0m3meh9w4M3 -Zirm7OBOVxHZJjoor8ohgVosMwygDqlr2+tMlgwzRLh8hjc5yo8i/pwDs7pdYT+X9t7193 -lYU8VdM3QpZLLyKaRrGGNxL4TMWrJ47xjoRAs9T6v/Tz8WpGNZASjBY/Moe+VH2CckYlHB -VFWQ/3UMgzI+4LYob+ADYlACIJ/eCOBrfbfGtjoi8qyoSQME0K7OAgPrLmPt7g3KdhbkAL -7s6WtpqFLnzXrUJ/WGAqQkGoqPCNzfTeTzqjxrTU//Bb9cMFrJf09+tzSZmu5a7UFyoKud -mGJmlDZx8Txaiz//RC2gCmyq103pdHsPy8lRDukCen1O5RNy2DBeQ54JXjqbjh8kHSCSr0 -qAm+4pQ7hvHpGXd2RETobch5a+1HB67ZmTGI4ZUXAAAFkFdJqqNXSaqjAAAAB3NzaC1yc2 -EAAAGBANfFeeoVpSrdYCaZb8/w4ybdx8AYmgvVQLzKNuxHO3rdGa6wgPYK89Ml87+xs0DE -Moc8G9gmqLAFjxaHZUENeg7aVYAr0k5K9cxllGYGHtiTr42w9Jt5nofcODN2Yq5uzgTlcR -2SY6KK/KIYFaLDMMoA6pa9vrTJYMM0S4fIY3OcqPIv6cA7O6XWE/l/be9fd5WFPFXTN0KW -Sy8imkaxhjcS+EzFqyeO8Y6EQLPU+r/08/FqRjWQEowWPzKHvlR9gnJGJRwVRVkP91DIMy -PuC2KG/gA2JQAiCf3gjga323xrY6IvKsqEkDBNCuzgID6y5j7e4NynYW5AC+7OlraahS58 -161Cf1hgKkJBqKjwjc303k86o8a01P/wW/XDBayX9Pfrc0mZruWu1BcqCrnZhiZpQ2cfE8 -Wos//0QtoApsqtdN6XR7D8vJUQ7pAnp9TuUTctgwXkOeCV46m44fJB0gkq9KgJvuKUO4bx -6Rl3dkRE6G3IeWvtRweu2ZkxiOGVFwAAAAMBAAEAAAGAKECcx8CV+XMm9sx1AXPMzHlfRE -TSqBZ2Z0HKETYQsJECs4YV6NCOP/u6hy5dZF21l2jtQNulaIEA+pDzoLkk5hRxEuIZ76Uo -SaNBle7aXkje3S3/0+lSW8IHcgJJ0oS1RlCPU5b1o2MOUibwElcbiPO2z7xCEXPn60KcPI -5zjyPQmK27i7MBI6TWQRs2pQtIQcqDQPeQPYnQKNDpuvpvMWMGkzvk/BI8mfuuHl5DEQBf -adALnP5tl1inHYQZS6XGElx7PrVuRahv/h3Img7WAI8G7whRmxha3nje2Xk4hY3M2mlaUJ -odHVaYwpv1uBmeevfUJ38AGAYmGIeijuqC6tx6/4Zn1qc6DsH272nOnbYmuHHJpb8p8LbV -xiHM8VsSAsqt6LRUKoaQddrZrhL2N0LT2iZ0KIFKz3OnMXYM5R9N8K5hq5o012Kxk4mbHt -e0fF3IFBoUeySZMRnPYbHRML7CcHdJQqHa2w+HwR06WdauHw9SLHXVMUm7VB3KfuohAAAA -wG0ARc3IXG2+nYAP5MvcluSeYIyqqXb/l9H2hnioXzGn684t/O1ZCtuBKC7jXYKL7+UeSZ -Ww0j1TvVnOFqSH5wwHfuY5+fHusf1/HDuhmfoo029dWthC11PjzZYZOFl4D5CgO2SX0Pbu -Gzw7PAUubjdIGmbiYFClnTPP9g72fmNPlflTrDjIDh7oSjQCJ48c/UDNS6t95bIZmA35Yn 
-BN0u0DZPHl1vtsLjWH3p/mBJPYCqUc6QDZ2nFE9xy0VJT6HwAAAMEA7lorbF3zkG6wKoH1
-PHqzNl0hvObOfKh9XilX96ijJQUfx+jR3ScU16xEwgUDPkN06agYtT9b/BCzcOheug4Ve/
-2WWopTI0m2ZgXDIlTwt7yIktNxgIdLrDyp8F6mhbQnhpcVL8Peekl/Bp1YbVHz/t4VrWQs
-IBZJ8peb+Wlv/HuCWYjrHxM2J62ThXN5CS/lmzkXopLucexb5GKTJ0We2COIxR9AQSN7+p
-PL83sv32ZmqF0OD36QFAvAXFIdzRs5AAAAwQDnv0y/UophQqQbZAs8LnQzmKNkMyQFYY3S
-Lx86ZtQx6XXPAVvxgIoj/lPQuC4g55QUS/LXep+pP9fUFvvWlbHgqMJZWT+okJiA+z5R86
-P3AUGfPtL4OdroZPRgnHc1IMpDSo2v671uT97AKIi8lOHNO6EJdZcjIjIWcJKAVD5nFl6Q
-sQIdKLWsl3k7IcN+wT2ABD1zRQ3Yl0O5t0l8GpW39fmzjsmiwdWuvcm2x2TxTmfaqdVmkR
-qOUKDCECbDIs8AAAAXSW5zdGl0dXRlIEFkbWluaXN0cmF0b3IBAgME
------END OPENSSH PRIVATE KEY-----
diff --git a/Secret/ssh_admin/id_rsa.pub b/Secret/ssh_admin/id_rsa.pub
deleted file mode 100644
index bddc724..0000000
--- a/Secret/ssh_admin/id_rsa.pub
+++ /dev/null
@@ -1 +0,0 @@
-ssh-rsa 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 A Small Institute Administrator
diff --git a/Secret/ssh_monkey/id_ed25519 b/Secret/ssh_monkey/id_ed25519
new file mode 100644
index 0000000..4ddccc3
--- /dev/null
+++ b/Secret/ssh_monkey/id_ed25519
@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACCnYqE/J6XBi02zHPTGPMgCY17Q+XFltluQZ26oqTUHHAAAAKA35YS5N+WE
+uQAAAAtzc2gtZWQyNTUxOQAAACCnYqE/J6XBi02zHPTGPMgCY17Q+XFltluQZ26oqTUHHA
+AAAEBL4wka2scQDIBQHX880xi4xAblWGzzGqDZA6p2T23Gi6dioT8npcGLTbMc9MY8yAJj
+XtD5cWW2W5BnbqipNQccAAAAGW1vbmtleUBjb3JlLnNtYWxsLnByaXZhdGUBAgME
+-----END OPENSSH PRIVATE KEY-----
diff --git a/Secret/ssh_monkey/id_ed25519.pub b/Secret/ssh_monkey/id_ed25519.pub
new file mode 100644
index 0000000..d96da7c
--- /dev/null
+++ b/Secret/ssh_monkey/id_ed25519.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKdioT8npcGLTbMc9MY8yAJjXtD5cWW2W5BnbqipNQcc monkey@core.small.private
diff --git a/Secret/ssh_monkey/id_rsa b/Secret/ssh_monkey/id_rsa
deleted file mode 100644
index a4084a1..0000000
--- a/Secret/ssh_monkey/id_rsa
+++ /dev/null
@@ -1,38 +0,0 @@ ------BEGIN OPENSSH PRIVATE KEY----- -b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn -NhAAAAAwEAAQAAAYEAng3cBVl5eiYHNpaS0ziOyz+JEtSP7A2EDnuVg/vaZ0yEJdo/qCJL -xHc1Dp5VSWpexic5KEJ3S87Z7SE6fkaDKW7Y2Gg/6mT88eXMmytYDM0JHufRa64mmfJ7f5 -Ggm9adhoiH8MAoicBMNa7ILwZfxtr5al5//NW7OMXCLE73ohGqGwPYS82Dy2PwWXRBcZz2 -qcuLNTX1MyElMnKInatIwtbgNQXiU98hO7dfT1GZLk0YABJXgahf81ERbt7oPntUeWnuJE -9M4fIHILXrNEBkifGe4uh0K20LxyO7Z3L3xAhwxuBrS6r5l5hLlGDj8k36xYtRC9fXt2lY -xiMOk2cVaWj7q1Z/vLZuih0vsnB07s/Ge8tvtZh9zI6LLGH77n7rCOXxgktvHXSD9JlN4P -1ZmOVaYwHOwiz30UdEY/RYZYGE6+wZHlSF6ROaaFrX6yebg6WTK4Yv1S16YO4oRgvnJB// -r65O4yX7fsNXF7WjyV3Iw/NWs9T3IUf7AabIsVTLAAAFgF6mN1depjdXAAAAB3NzaC1yc2 -EAAAGBAJ4N3AVZeXomBzaWktM4jss/iRLUj+wNhA57lYP72mdMhCXaP6giS8R3NQ6eVUlq -XsYnOShCd0vO2e0hOn5Ggylu2NhoP+pk/PHlzJsrWAzNCR7n0WuuJpnye3+RoJvWnYaIh/ -DAKInATDWuyC8GX8ba+Wpef/zVuzjFwixO96IRqhsD2EvNg8tj8Fl0QXGc9qnLizU19TMh -JTJyiJ2rSMLW4DUF4lPfITu3X09RmS5NGAASV4GoX/NREW7e6D57VHlp7iRPTOHyByC16z -RAZInxnuLodCttC8cju2dy98QIcMbga0uq+ZeYS5Rg4/JN+sWLUQvX17dpWMYjDpNnFWlo -+6tWf7y2boodL7JwdO7PxnvLb7WYfcyOiyxh++5+6wjl8YJLbx10g/SZTeD9WZjlWmMBzs -Is99FHRGP0WGWBhOvsGR5UhekTmmha1+snm4OlkyuGL9UtemDuKEYL5yQf/6+uTuMl+37D -Vxe1o8ldyMPzVrPU9yFH+wGmyLFUywAAAAMBAAEAAAGAdDYmj3xhWFG7vgRqgom0XHcj10 -eZZuvtLCTsI3Y7+PYGuDpH0d0drqAjz9LVTLy8YKAYY6SzSHcYP0XOV2iLKhzJrhzA2hxU -65uWnIT7IbZkPWgf0DflRA5JhdvSpqLfgjrDEV6Ir/hHULVplUHvjCwXdYF0Q7f3B+BITA -HoDC9GzsQ99kZu4E5kO7HCKMJLjz8M5Rv+ZRC64+PY1W1Ke5A4nGPuLNMEAX9rwctygNvI -iMzzsG7X1fTGh6m4Q7CznSCKPn0oPr1PNoIwUiMQzxH41L+v08AFbQ45O+kzxR/JsCS8u0 -42LVATCenxHYbVofKM26KjEYUbl/fxNmKEqRrbpaRIHM4H0aX2T1pYp0MU8dOX7N4p7ue5 -OnDanKFOyPbijkQUcK4wewH6BJ+T0coJOOl66imMlTYhRKhJpHIoKTWmnOMDzwS0hO8bZ5 -NuepYzjIdrC9juq0HtG3Wg8yqKLpJlTWCsWnk0ijYuccm7YKm67L0UDPAtz4M+4cRxAAAA -wDOqhuiqzJXx3ZM9RLJLDk9+K1/fZG+KZtQB4fD3n7pTJn2kRj2SvWtCFEEeeFznyQ5F0W -6Lkmzt/lSlKGM6NpnMpGb44uAKNoheZ1xz1Rbbwav643vXne0aC60fa+7kGk+LSnTm+sKi -GxNhrb1ZYn05dz6lTT71fIExAVWQaevwZKrd7+S2t2TSEemoHEKElCx7FGl4A+OQmyNeaC 
-dMKAcfepXmftqW09fesIdtmiSZmfT7+SR4Q5hHuYjC/WEwsgAAAMEAyS4Rr2xaN+ndQB8r
-Xi9/VqIOQATlfYbssVheDhvsdHVdB9QUhZhjqdSIeCEzRo1JntCo2e0bXsq2ifXgudwsau
-Vc4nN4OoJqynns2zzqWcPopo8HTgsIx1RdC7syOljVfMuy1VqZ55kcA4BvcHGx3gKQp1jE
-B34wOh1T/UFQdttznvYw1YdkHY8KA2AICOiB2dyiOUdvTpFjPxIeMTQcW7PD4LhSE489yY
-nxvF1UDqG+AMFp0r2/sbIZWI2HYvyTAAAAwQDJH2pTN9x2ljEdNDNr5sr/bx9gr3Vk5hav
-eZHbvd3cCEe7FSyudU7M55rJmad2LM8BD8LbrfoHxWIsxbWQjGW+AV8ltafI+jRcZL9d/X
-QPB/y59p32y/S9u0w7vtqXCpAAiTe8h6u4T5Dinib1kMIfClyd+ZJflEVc9G16ShVlVuEn
-04UFLcEpzGdqKVqwTv7QJNPsvcz6K5kNQQPEmNMXy9k+FQ0bH8ADR6DfP6LVzS4CfTvvIc
-jU/0Zfsu/boekAAAALbW9ua2V5QGNvcmU=
------END OPENSSH PRIVATE KEY-----
diff --git a/Secret/ssh_monkey/id_rsa.pub b/Secret/ssh_monkey/id_rsa.pub
deleted file mode 100644
index 2909d30..0000000
--- a/Secret/ssh_monkey/id_rsa.pub
+++ /dev/null
@@ -1 +0,0 @@
-ssh-rsa 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 monkey@core
diff --git a/hosts b/hosts
index b4bde4d..3327c8a 100644
--- a/hosts
+++ b/hosts
@@ -1,7 +1,7 @@
 all:
 vars:
 ansible_user: sysadm
-ansible_ssh_extra_args: -i Secret/ssh_admin/id_rsa
+ansible_ssh_extra_args: -i Secret/ssh_admin/id_ed25519
 hosts:
 front:
 ansible_host: 192.168.58.3
diff --git a/inst b/inst
index 4f6b5c4..fc08806 100755
--- a/inst
+++ b/inst
@@ -101,15 +101,16 @@ if (defined $ARGV[0] && $ARGV[0] eq "CA") {
 mysystem "mkdir Secret/ssh_admin";
 chmod 0700, "Secret/ssh_admin";
- mysystem ("ssh-keygen -q -t rsa",
+ mysystem ("ssh-keygen -q -t ed25519",
 "-C A\\ Small\\ Institute\\ Administrator",
- "-N '' -f Secret/ssh_admin/id_rsa");
+ "-N '' -f Secret/ssh_admin/id_ed25519");
 mysystem "mkdir Secret/ssh_monkey";
 chmod 0700, "Secret/ssh_monkey";
 mysystem "echo 'HashKnownHosts no' >Secret/ssh_monkey/config";
- mysystem ("ssh-keygen -q -t rsa -C monkey\@core",
- "-N '' -f Secret/ssh_monkey/id_rsa");
+ mysystem ("ssh-keygen -q -t ed25519",
+ "-C monkey\@core.$domain_priv",
+ "-N '' -f Secret/ssh_monkey/id_ed25519");
 exit;
 }
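Review bot: The administrator's key is still generated with `-N ''`, so the file the README calls the institute's chief master secret is written to disk without a passphrase; only the monkey key, which automation on Core must use unattended, needs that. Either drop `-N ''` from the ssh_admin invocation so ssh-keygen prompts for one during `inst CA`, or have the script print a reminder to run `ssh-keygen -p -f Secret/ssh_admin/id_ed25519` afterwards. Separately, `$domain_priv` is interpolated unquoted into the new `-C` argument, and the backslash-escaped spaces in the administrator's comment suggest `mysystem` hands the joined string to a shell; unless `$domain_priv` is validated elsewhere, quote it as `"-C 'monkey\@core.$domain_priv'"`. The enclosing `if ($ARGV[0] eq "CA")` block begins before this hunk.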
diff --git a/roles_t/core/tasks/main.yml b/roles_t/core/tasks/main.yml
index 90e0b8a..bbc93e8 100644
--- a/roles_t/core/tasks/main.yml
+++ b/roles_t/core/tasks/main.yml
@@ -230,9 +230,9 @@
 owner: monkey
 group: monkey
 loop:
- - { name: config, mode: "u=rw,g=r,o=" }
- - { name: id_rsa.pub, mode: "u=rw,g=r,o=r" }
- - { name: id_rsa, mode: "u=rw,g=,o=" }
+ - { name: config, mode: "u=rw,g=r,o=" }
+ - { name: id_ed25519.pub, mode: "u=rw,g=r,o=r" }
+ - { name: id_ed25519, mode: "u=rw,g=,o=" }
 - name: Configure Monkey SSH known hosts.
 become: yes
diff --git a/roles_t/front/tasks/main.yml b/roles_t/front/tasks/main.yml
index 24809dd..f3dd75a 100644
--- a/roles_t/front/tasks/main.yml
+++ b/roles_t/front/tasks/main.yml
@@ -39,11 +39,9 @@
 - name: Authorize monkey@core.
 become: yes
- vars:
- pubkeyfile: ../Secret/ssh_monkey/id_rsa.pub
 authorized_key:
 user: monkey
- key: "{{ lookup('file', pubkeyfile) }}"
+ key: "{{ lookup('file', '../Secret/ssh_monkey/id_ed25519.pub') }}"
 manage_dir: yes
 - name: Add {{ ansible_user }} to monkey group.
-- 
2.47.3
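Review bot: Swapping the file names in this loop installs the new pair but never removes the RSA pair the previous version placed in monkey's `.ssh` on Core, so `id_rsa` and `id_rsa.pub` linger there with the private key intact; the copy task's module and `src`/`dest` lines are above the hunk. Add a follow-up task that deletes both retired files from the same destination directory, and since this patch also deletes the old pair from `Secret/`, nothing else will clean them up later. The path below assumes `/home/monkey/.ssh` from `owner: monkey` — verify it against the task's `dest`.
```yaml
# … unchanged: copy task for config, id_ed25519.pub, id_ed25519 …

- name: Remove Monkey's retired RSA key pair.
  become: yes
  file:
    path: /home/monkey/.ssh/{{ item }}
    state: absent
  loop: [ id_rsa, id_rsa.pub ]
```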
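Review bot: `authorized_key` with only `key:` appends and leaves every existing entry alone, so the RSA public key authorized by the previous version of this task remains in monkey's `authorized_keys` on Front and the retired key still logs in after this runs. If this is meant to be monkey@core's only credential on Front, add `exclusive: yes` beneath `manage_dir: yes` so the module rewrites the file with just this key; otherwise the old entry must be removed with a second `authorized_key` task using `state: absent`, which needs the old key text that this patch deletes from `Secret/`. The task that starts at `- name: Add {{ ansible_user }} to monkey group.` continues past the hunk.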